1

So I'm doing a cross origin request (have tried via AngularJS, AJAX, and XMLHttpRequest) neither of them allow me to set the headers. I can send requests POST, GET... with and without data and it works fine, as soon as I add headers:

xhr.setRequestHeader("user","someUser");

or AJAX

headers: {"user":"someUser"}

I get the error:

405 (Method Not Allowed)
XMLHttpRequest cannot load http://testsite.com Invalid HTTP status code 405

From the backend side of things I am allowing all origins:

header("Access-Control-Allow-Origin: *");

Not sure what the problem can be anymore...

matt
  • 2,312
  • 5
  • 34
  • 57
  • IIS? http://stackoverflow.com/questions/12458444/enabling-cross-origin-resource-sharing-on-iis7/14631068#14631068 – mplungjan Jun 16 '15 at 12:45
  • The response code 405 (Method Not Allowed) _should mean_ that you're attempting a method (GET, PUT, PATCH, POST, DELETE, OPTIONS, TRACE) that the server is not accepting. Since you say it's working without body content, it seems to me that your back end may be sending an incorrect response code. Either way, confirm you're sending well-formed data via your dev tools by inspecting the POST/etc request and then trouble shoot the back end; look for a trace log, if available. – Eric McCormick Jun 16 '15 at 12:48
  • @mplungjan I'm on a LAMP environment, using Zend Framework 2 by the way – matt Jun 16 '15 at 12:49
  • @EricMcCormick looking at my log files every time I send a `POST` request via AJAX the server sees it as an `OPTIONS` request, don't know why that happens if I am already allowing all origins `Access-Control-Allow-Origin: *` – matt Jun 16 '15 at 12:58
  • 1
    When you add a custom header it is no longer a simple CORS request. It makes an OPTIONS request first. If that is not enabled on your server then fails. See "Preflighted request" in [MDN HTTP access control CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) – Yogi Jun 16 '15 at 13:01
  • Regardless of what you set as the accepting origin, the rules of CORS mean that a different port (or different server name) require [a "preflighted request" of type OPTIONS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests) (which exposes `Access-Control-Allow-Methods` and`Access-Control-Allow-Origin` from a server response), before sending your actual request. – Eric McCormick Jun 16 '15 at 13:02
  • @EricMcCormick So is there anything that I can do in the backend to allow this to happen instead of returning 405? – matt Jun 16 '15 at 13:07
  • 1
    it seems to be complaining about `OPTIONS` preflight, so you would want to ensure that it accepts `OPTIONS` and returns correctly. An `OPTIONS` request should return a response with no body, have response code `204`, and contain at minimum the headers of `Access-Control-Allow-Methods` and `Access-Control-Allow-Origin` (and `Access-Control-Allow-Credentials`, if applicable). I recommend reading up on [CORS on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) or checking out the [HTML5 Rocks tutorial](http://www.html5rocks.com/en/tutorials/cors/). – Eric McCormick Jun 16 '15 at 13:23

1 Answers1

1
var myApp = angular.module('myApp', [
    'myAppApiService']);

myApp.config(['$httpProvider', function($httpProvider) {
        $httpProvider.defaults.useXDomain = true;
        delete $httpProvider.defaults.headers.common['X-Requested-With'];
    }
]);

Try adding this config....

Gnanadurai A
  • 278
  • 1
  • 2
  • 15